bpo-30730: Prevent environment variables injection in subprocess on Windows. (#2325)

Prevent passing other invalid environment variables and command arguments.
Serhiy Storchaka 2017-06-23 19:39:27 +03:00 committed by GitHub
parent d352d68977
commit d174d24a5d
5 changed files with 72 additions and 9 deletions


@ -1238,8 +1238,12 @@ class Popen(object):
# and pass it to fork_exec()
if env is not None:
env_list = [os.fsencode(k) + b'=' + os.fsencode(v)
for k, v in env.items()]
env_list = []
for k, v in env.items():
k = os.fsencode(k)
if b'=' in k:
raise ValueError("illegal environment variable name")
env_list.append(k + b'=' + os.fsencode(v))
else:
env_list = None # Use execv instead of execve.
executable = os.fsencode(executable)
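Review bot: The new loop rejects only `=` in the encoded name, so an empty name still yields a bare `=value` entry in `env_list`, and neither `k` nor the encoded value is checked for an embedded NUL byte, which would cut the entry short once it is handed over as a C string. Whether fork_exec() rejects those cases is not visible in this hunk, so either extend the guard to `if not k or b'=' in k:` or add a comment naming the place where NUL bytes are refused. A short why-comment above the check would also help the next reader, for example `# A name containing '=' would set a different variable than the caller passed.` The enclosing Popen method starts and ends outside the hunk, so callers that build `env` from untrusted keys should be reviewed separately.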